#!/bin/sh
#
# This is the command file that is used to get a chroot'ed user into their jail (node in
# the file system where only those programs necessary for the user's work have been
# loaded). For this to work, the user should have been setup with the script 'create_chroot'
# to establish the appropriate lines in '/etc/sudoers' that will allow the commands
# here to work. Sudoers is configured as closely as possible to the commands used here
# so that the user can only execute those commands.
# NOTE: Never edit sudoers by hand, always use the program '/usr/sbin/visudo'.
#
# The user's encrypted home directory is mounted at the location of their home
# directory. It's actually mounted over top of the place where the user's home
# directory would be. To allow the user to see the encrypted file system after they
# are in the jail, '-o allow_other' must be used with encfs. The side effect
# here is that anyone logged into the machine, who is NOT in a jail, will be able
# to see a file while it is unencrypted. This should be OK since only chroot'ed
# users are supposed to use this machine. The alternative would have been to mount
# the file system after the chroot, but that would require more files in the jail
# (encfs, fusermount), and more possibilities for security holes. The user's files
# will remain 'plain text' till the idle timeout time specified by the '-i n' ('n'
# minutes of activity) in the encfs command. Then the encroypted file system will
# be unmounted and the plain text files no longer available.
#
# Many directories are mounted by this script, because those directories contain
# lots of files needed by the user (for 'R' and 'X11' in particular). Rather than
# unmount the directories after the user exits their login shell (this is problematic),
# the method used here is to check to see if the file system has been mounted so as
# to not mount it again. So once the user has logged in after a reboot, these library
# file systems will remain mounted till the machine is shut down. These file systems
# are mounted read only so that no sensitive data can be placed on them by the user.
#
# Another interesting problem is that the 'sshd' is (by default) expecting to
# see each user's private key at '~/.ssh/authorized_keys' but the user's encrypted
# file system would overlay this. The solution is to configure the sshd to keep
# the authorized keys out of the user's area and in some place on the server that
# 'sshd' can get to, but the user cannot. This is good because installing these 
# is an administrative task, not a user task. It's done by setting...
# AuthorizedKeysFile /PublicKeys/%n/authorized_keys
# in the '/etc/ssh/sshd_config' file and setting the appropriate protections on
# the //home/PublicKeys directories...
# chmod 755 /home/PublicKeys (everyone can read this)
# chown %n:%n /home/PublicKeys/%u
# chmod 700 /home/PublicKeys/%u (only the user %u can read this)
# chown %n:%n /home/PublicKeys/%u/authorized_keys
# chmod 400 /home/PublicKeys/%u/authorized_keys (only the user %u can read this)
# SSHD will not startup if the permissions are either too restrictive or too lean.
#
# To see what SSH does run it like this '/usr/sbin/sshd -d -d -d', but be sure to stop
# any current running sshd servers using '/etc/init.d/sshd stop'.
#
# enchroot is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# enchroot is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser Public License for more details.
#
# You should have received a copy of the GNU Lesser Public License
# along with enchroot. If not, see <http://www.gnu.org/licenses/>.
#
# Copyright (c) 2010 charles@kollar.com
#

#
# Global configuraiton/options are set in this file...
. /usr/local/etc/enchroot.conf

# see..
# http://www.yonahruss.com/unix/xlib-putty-x11-proxy-wrong-authentication-protocol-attempted.html
#
# The .Xauthority key is written after the user logs in and before the encfs
# runs. Because the file is 'locked', the 'xauth' program will not generate
# a new file on the encrypted file system that is mounted later. The solution to this
# is to delete any .Xauthority* files right before mounting the encrypted file system.

JAILPATH=$HOME_CHROOT/$USER

myUID=`id | awk '{print $1}' | awk -F '(' '{print $1}'`
myGID=`id | awk '{print $2}' | awk -F '(' '{print $1}'`
XAUTHINFO=$JAILPATH/tmp/.Xauthority-$USER
HOME_P=`/bin/grep "encfs $JAILPATH/home/$USER" /etc/mtab`
if [ "$HOME_P" == "" ] ; then
  # The encrypted file system is mounted over top of the user's home directory. This is 
  # the place where .Xauthority file lives. So, we save the information and restore it
  # after mounting the user's file system.
  /usr/bin/xauth list | grep unix | awk -F '/' '{print $2}' >  $XAUTHINFO
  /usr/bin/sudo /usr/bin/encfs -i $IDLE_TIMEOUT -o allow_other -o nonempty -o $myUID -o $myGID $HOME_ENCRYPTED/$USER $JAILPATH/home/$USER
  if [ -s $XAUTHINFO ] ; then
    # don't do this if the file is empty...
    /usr/bin/xauth -i add `cat $XAUTHINFO`
  fi
  /bin/rm -f $XAUTHINFO
fi

#
# If any of these file systems have been mounted, don't mount them again...
#
# Also, remember to add the dismounting of any new directories mentioned here to
# the script 'delete_chroot'.

# For now, everyone get's '/dev'. In the future, we need to look into creating just the
# files that the user needs in '/dev' when loading the packages for the jail...
DEV_P=`/bin/grep "$JAILPATH/dev" /etc/mtab`
if [ "$DEV_P" == "" ] ; then
  /usr/bin/sudo /bin/mount -o bind /dev $JAILPATH/dev
fi

#
# It is important to 'cd' to a point within the user's mount point 'before' issuing
# the 'chroot' command. Otherwise the current directory of the user is not within
# their portion of the file system.
cd $JAILPATH/home/$USER

# Note:
# The '/bin/su' that is called here is the one in the chroot jail
/usr/bin/sudo /usr/bin/chroot $JAILPATH /bin/su - $USER "$@"
